Hackers take over remotely a Fiat Chrysler connected car

The popular hackers Charlie Miller and Chris Valasek have demonstrated how to hack a connected car remotely.

Charlie Miller and Chris Valasek do not need any introduction, they are two stars of the hacking community that have alerted several times automotive industry regarding the risks related to the hack of connected cars.

To demonstrate the feasibility of a cyber attack on a connected car and the related risks, the two experts have demonstrated hot to exploit weaknesses in an automobile system with cellular connectivity to hack the vehicle. The experts attacked Uconnect automobile system which is installed in many connected cars, including nearly 471,000 vehicles in the US. Charlie Miller and Chris Valasek demonstrated the attack by hacking a Jeep Cherokee equipped with the Uconnect system.

They have hacked the connected car remotely while the popular journalist Andy Greenberg was driving it.

“To better simulate the experience of driving a vehicle while it’s being hijacked by an invisible, virtual force, Miller and Valasek refused to tell me ahead of time what kinds of attacks they planned to launch from Miller’s laptop in his house 10 miles west. Instead, they merely assured me that they wouldn’t do anything life-threatening. Then they told me to drive the Jeep onto the highway. “Remember, Andy,” Miller had said through my iPhone’s speaker just before I pulled onto the Interstate 64 on-ramp, “no matter what happens, don’t panic.” wrote Greenberg.

The Uconnect is the connected car system chosen by Fiat Chrysler for its vehicles in the US market. This system allows the owners of the connected cars to interact with the vehicle remotely, it uses the Sprint cellular network to remain connected to the Internet. Car owners can dialog with their car by simply using their Smartphone, typical operation allowed are remote engine start, querying the vehicle to obtain the location, and activating anti-theft features.

Charlie Miller and Chris Valasek have exploited vulnerabilities in the connected car system in the Fiat Chrysler model that could allow hackers to scan Sprint’s cellular network for Uconnect-equipped vehicles to obtain car identification information and its location.

The experts demonstrated that they use these data to attack the connected car systems, by knowing their IP address the two hackers were able to to turn the engine of the car off, activate and de-activate the brakes, take remote control of the vehicle’s information display and entertainment system, and activate the windshield wipers.

Miller and Valasek also discovered that they could remotely control the steering of the Jeep Cherokee.

“As the two hackers remotely toyed with the air-conditioning, radio, and windshield wipers, I mentally congratulated myself on my courage under pressure. That’s when they cut the transmission. Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun. ” continues Greenberg.

The hack demonstrated by the two researcher id disconcerting, the flaws (now patched) affecting the Uconnect connected car system could allow a hacker to run a cyber attack against any vehicle from practically everywhere, and it isn’t a sci-fi movie.

On July 16, Fiat Chrysler informed its customers of the vulnerability affecting its Jeep model, the company published a notice on its website, the worrying aspect of the story is that the patch issued by the company must be manually installed by using a USB drive.

Not sure that this is an operation that any customer is able to do autonomously.

Share On

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.